I have the panw module enabled in filebeat along with other modules enabled as well. For the panw module I have configured it as shown below
- module: panw
  panos:
    enabled: true
    # Set which input to use between syslog (default) or file.
    var.input: syslog
    var.syslog_host: localhost
    var.syslog_port: 9004
I am also sending this via Logstash to the ELK stack.
So my palo.conf file is listed below as well.
input {
  beats {
    port => 9004
  }
}
filter {
}
output {
  stdout {}
  # elasticsearch {
  #   hosts => ["<elasticsearchhost>"]
  #   user => "<changeme>"
  #   password => "<changeme>"
  #   index => "paloalto-000001"
  # }
}
When I stop the filebeat and logstash services and run netcat to listen on the specified UDP port, I can see the data come in with no issue.
When I start filebeat and then run bin/logstash -f /etc/logstash/conf.d/palo.conf to test my config and make sure that everything is printing to screen properly, nothing shows, just as if I am not receiving any data at all.
I know that is not accurate, as netcat shows data coming in. I am not sure if the disconnect is in my filebeat.yml, the filebeat module, my logstash.yml, or the palo.conf file.
Any suggestions would be helpful.
Thanks,
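As an added illustration (not the poster's files or Elastic's code), here is a small Python check that reads a constructed filebeat.yml and Logstash pipeline modelled on the post and reports where the hop from the panw syslog listener, through Filebeat's output, to the Logstash beats input does not line up. The output.logstash block is an assumption, since the post does not show the poster's filebeat.yml output section.

```python
import re

# Constructed sample inputs modelled on the post (not the poster's real files).
# The output.logstash block is assumed; the post does not show it.
FILEBEAT_YML = """
filebeat.modules:
  - module: panw
    panos:
      enabled: true
      var.input: syslog
      var.syslog_host: localhost
      var.syslog_port: 9004
output.logstash:
  hosts: ["localhost:9004"]
"""

LOGSTASH_CONF = """
input {
  beats {
    port => 9004
  }
}
"""

def filebeat_ports(yml):
    """Return (panw syslog listener port, [output.logstash host ports]) from a filebeat.yml."""
    m = re.search(r"var\.syslog_port:\s*(\d+)", yml)
    syslog_port = int(m.group(1)) if m else None
    out = re.search(r"output\.logstash:\s*\n\s*hosts:\s*\[([^\]]*)\]", yml)
    output_ports = [int(p) for p in re.findall(r":(\d+)", out.group(1))] if out else []
    return syslog_port, output_ports

def logstash_beats_ports(conf):
    """Return the port of every beats {} input block in a Logstash pipeline file."""
    return [int(p) for p in re.findall(r"beats\s*\{[^}]*?port\s*=>\s*(\d+)", conf)]

def check_pipeline(yml, conf):
    """Return human-readable findings explaining why events may never reach Logstash."""
    findings = []
    syslog_port, output_ports = filebeat_ports(yml)
    beats_ports = logstash_beats_ports(conf)
    if not output_ports:
        findings.append("filebeat has no output.logstash hosts, so events are not sent to Logstash")
    for p in output_ports:
        if p not in beats_ports:
            findings.append(f"filebeat sends to port {p} but no Logstash beats input listens there")
    if syslog_port is not None and syslog_port in beats_ports:
        findings.append(f"port {syslog_port} is used both for the panw syslog listener and the "
                        "Logstash beats input; give each stage its own port")
    return findings
```

Run `check_pipeline(FILEBEAT_YML, LOGSTASH_CONF)` against your own two files to see which hop is misconfigured; an empty list means the ports agree.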